Google Play infected with hundreds of malware apps

By Digital News Asia October 3, 2016

ACCORDING to security researchers, Google Play was found to be hosting hundreds of apps that could compromise security, and they have been downloaded millions of times.

For example, one malicious app infected with the 'DressCode' malware had been downloaded almost 500,000 times before it was removed. According to Trend Micro researchers, once the trojanised app is installed, DressCode connects with its command and control (C&C) server. In earlier versions, the malware authors used a hardcoded IP address for its C&C server, but it has since been replaced by a domain.

A background service creates a Transmission Control Protocol (TCP) socket that connects the compromised device with the C&C server and sends a “hello” string to finish registering. Once the C&C server prompts the device to establish a TCP connection between it and the attacker, the device will receive commands from the attacker via the SOCKS protocol.

The compromised device can act as a proxy that relays traffic between the attacker and internal servers the device is connected to - think of it as a tunnel.

Another app, Mod GTA 5 for Minecraft PE, was thought to be a benign game. But there was something nefarious in it: a component that established a persistent connection with an attacker-controlled server.

The server could then bypass the network address translation protections that shield individual devices inside a network. Trend Micro says the company has found 3,000 such apps, 400 of which were available through Google Play.

Network address translation (NAT) is a method of remapping one IP address space into another by modifying network address information. The technique was originally used for ease of rerouting traffic in IP networks without renumbering every host. It has become a popular and essential tool in conserving global address space allocations by sharing one internet-routable IP address of a NAT gateway for an entire private network.

According to Trend Micro, this malware allows threat actors to infiltrate a user’s network environment. If an infected device connects to an enterprise network, the attacker can either bypass the NAT device to attack the internal server or download sensitive data using the infected device as a springboard.
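As an added example, not code from the article or from Trend Micro, the following Python heuristic looks for the relay behaviour described above on a network's own flow records: a device that holds a long-lived outbound TCP session to an external host and, while that session is open, starts connecting to several internal servers. The flow log, its field layout and the thresholds are constructed assumptions for this illustration.

```python
"""Flag devices that look like they are tunnelling for an external host.

A DressCode-style app keeps a persistent outbound TCP session to its C&C host
and then reaches internal servers on that host's behalf. Flow records, field
layout and thresholds below are constructed for this example (assumptions).
"""
import ipaddress
from collections import defaultdict

# Constructed TCP flow log, one flow per line: start_ts src dst dst_port duration_s
SAMPLE_FLOWS = """\
1000 10.20.5.17 203.0.113.9 8888 1800
1005 10.20.5.17 10.0.1.10 445 4
1007 10.20.5.17 10.0.1.11 3389 6
1009 10.20.5.17 10.0.1.12 22 3
1200 10.20.5.42 203.0.113.50 443 2
1201 10.20.5.42 10.0.1.10 445 1
"""

LONG_SESSION_S = 600        # outbound session held open at least this long
MIN_INTERNAL_TARGETS = 3    # distinct internal servers reached during it

# RFC 1918 ranges stand in for "inside the NAT" in this example
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse the constructed log into (ts, src, dst, port, duration) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port, dur = line.split()
        flows.append((int(ts), src, dst, int(port), int(dur)))
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_relays(flows):
    """Return {device: (external_host, sorted internal targets)} for suspects."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f[1]].append(f)
    hits = {}
    for src, fl in by_src.items():
        for ts, _, dst, _, dur in fl:
            if is_internal(dst) or dur < LONG_SESSION_S:
                continue  # not a long-lived session to an outside host
            # internal connections opened while that outside session was up
            targets = {d for t, _, d, _, _ in fl
                       if is_internal(d) and ts <= t <= ts + dur}
            if len(targets) >= MIN_INTERNAL_TARGETS:
                hits[src] = (dst, sorted(targets))
    return hits
```

In the constructed log only 10.20.5.17 matches: it holds a 30-minute session to 203.0.113.9 and reaches three internal servers during it, while 10.20.5.42's short HTTPS session and single file-share connection are ordinary behaviour.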

This is not the first time that infected apps have been found on Google Play. Another security company, Check Point, had previously detected similar apps.

The real problem for security researchers is that only a small portion of each app is dedicated to malicious activity, which makes detection very difficult.

Four years ago, Google introduced a cloud-based app scanner. But it looks like the scanner is not very effective: third parties are now finding more malware on Google Play than the host company.